Abstract. We show that a linear decomposition attack, based on the decomposition method introduced by the first author in the monograph [1] and the papers [2], [3] and developed in [3], recovers the exchanged key in the protocol of [5].


1. Introduction 

In this note we apply a practical deterministic attack to the protocol proposed in [5]. This kind of attack, introduced by the first author in [1], [2], [3] and developed in [1], works when the platform objects are linear. It turns out that in this case, contrary to common opinion (and to some explicitly stated security assumptions), one does not need to solve the underlying algorithmic problem to break the scheme: there is another algorithm that recovers the private keys without solving the principal algorithmic problem on which the security assumptions are based. The efficacy of the attack depends on the platform group, so it requires a specific analysis in each particular case. In general one can only state that the attack runs in time polynomial in the size of the data when the platform and related groups are given together with their linear representations. In many other cases one can effectively use known linear representations of the groups under consideration. A theoretical basis for the decomposition method is described in [4], where a series of examples is presented. The monograph [1] treats uniformly many protocols based on the conjugacy search problem, protocols based on the decomposition and factorization problems, protocols based on actions by automorphisms, and a number of other protocols. See also [6] and [7], where the linear decomposition attack is applied to the main protocols of [8], [9] and [10].

In a series of works (see also [13]) Tsaban presented another general approach for provable polynomial time solutions of computational problems in groups with an efficient faithful representation as matrix groups.

Throughout the paper we denote by $\mathbb{N}$ the set of all nonnegative integers, and by $\mathbb{C}$ the set of all complex numbers.
2. Andrecut's key exchange protocol [5].

In this section we describe Andrecut's key exchange protocol proposed in [5]. First we introduce the necessary terminology; the cryptanalysis of the protocol follows in Section 3.

Let $X \in \mathbb{C}^{n \times n}$ be a complex matrix of size $n \times n$, considered as a variable. Let
$$
P(X,a) = \sum_{m=0}^{M} a_m X^m \qquad\text{and}\qquad Q(X,b) = \sum_{m=0}^{K} b_m X^m
$$
be two complex polynomials in $X$, uniquely defined by the complex vectors of coefficients $a = (a_0, \ldots, a_M)$ and $b = (b_0, \ldots, b_K)$.

• Alice chooses the secret coefficient vectors $a$ and $\bar a$ (Alice's private key); the degrees of the polynomials $P(X,a)$ and $P(X,\bar a)$ are denoted $M_1$ and $M_2$.

• Alice randomly generates and publishes the matrix $U \in \mathbb{C}^{n \times n}$ (Alice's matrix public key).

• Bob chooses the secret coefficient vectors $b$ and $\bar b$ (Bob's private key); the degrees of $P(X,b)$ and $P(X,\bar b)$ are denoted $J_1$ and $J_2$.

• Bob randomly generates and publishes the matrix $V \in \mathbb{C}^{n \times n}$ (Bob's matrix public key).

• Alice computes and publishes the matrix $A = P(U,a)\,P(V,\bar a)$ (Alice's public key).

• Bob computes and publishes the matrix $B = P(U,b)\,P(V,\bar b)$ (Bob's public key).

• Alice calculates the secret matrix $K_a = P(U,a)\,B\,P(V,\bar a)$.

• Bob calculates the secret matrix $K_b = P(U,b)\,A\,P(V,\bar b)$.

• The established secret key is $K = K_a = K_b$. Both sides indeed obtain $P(U,a)P(U,b)P(V,\bar a)P(V,\bar b)$, because two polynomials in the same matrix commute.

It is assumed in [5] that the matrices $U$ and $V$ are different, in order to have the non-commutativity $P(U,a)P(V,b) \ne P(V,b)P(U,a)$ and $P(U,\bar a)P(V,\bar b) \ne P(V,\bar b)P(U,\bar a)$. In general even the stronger assumption $UV \ne VU$ does not guarantee this non-commutativity: for instance, $P(U,a)$ may happen to be a scalar matrix, which commutes with everything.

There is also a remark in [5] that the assumption
$$
M_1, M_2, J_1, J_2 \gg n
$$
should be satisfied in order to increase security. But by the classical Cayley–Hamilton theorem every matrix $U$ is a root of its own characteristic polynomial $C(X) = \det(U - X I_n)$, where $I_n$ is the identity matrix of size $n \times n$. The degree of $C(X)$ is exactly $n$. Hence for any matrix $U \in \mathbb{C}^{n \times n}$ and every matrix polynomial $P(X,a)$ one has $P(U,a) = R(U)$, where $R(X)$ is the remainder after division of the polynomial $P(X,a)$ by $C(X)$, so $\deg R \le n-1$. Consequently there is no point in using polynomials of degree $\ge n$ in the protocol above: whatever the nominal degree of $P(X,a)$, the matrix $P(U,a)$ is a polynomial in $U$ of degree at most $n-1$.
3. Cryptanalysis of Andrecut's key exchange protocol [5].


We provide two approaches to the cryptanalysis of the protocol described in the previous section. The first is based on some simple facts from linear algebra; the second is a linear decomposition attack.

As we have seen in the previous section, there is no point in using values $M_1, M_2, J_1, J_2 \ge n$. Thus we may assume that $M_1 = M_2 = J_1 = J_2 = n-1$. Consider the linear systems

$$
A = \sum_{i=1}^{n-1}\sum_{j=1}^{n-1} x_{ij}\,U^i V^j, \qquad
B = \sum_{k=1}^{n-1}\sum_{l=1}^{n-1} y_{kl}\,U^k V^l
\qquad (3.1)
$$
of equations with $(n-1)^2$ unknowns $x_{ij}$ and $y_{kl}$ respectively. (Since the remainders $R$ in the Cayley–Hamilton reduction may have nonzero constant terms, in practice one lets the indices run from $0$; this gives $n^2$ unknowns per system and does not affect the estimates below.) Both systems are solvable, since $A = \sum a_i \bar a_j U^i V^j$ and $B = \sum b_k \bar b_l U^k V^l$ are representations of the required form; the solution need not be unique. Having any solution of the systems (3.1), one can compute the secret key as follows:


$$
\begin{aligned}
K &= P(U,a)\,P(U,b)\,P(V,\bar a)\,P(V,\bar b) \\
  &= \Big(\sum_{i=1}^{n-1}\sum_{j=1}^{n-1} a_i b_j\,U^{i+j}\Big)\Big(\sum_{k=1}^{n-1}\sum_{l=1}^{n-1} \bar a_k \bar b_l\,V^{k+l}\Big) \\
  &= \sum_{i=1}^{n-1}\sum_{j=1}^{n-1}\sum_{k=1}^{n-1}\sum_{l=1}^{n-1} x_{ik}\,y_{jl}\,U^{i+j} V^{k+l}.
\end{aligned}
\qquad (3.2)
$$

The last expression equals $\sum_{i,k} x_{ik}\,U^i B\,V^k$, and it yields $K$ for any solution of (3.1), not only for $x_{ik} = a_i \bar a_k$, $y_{jl} = b_j \bar b_l$: since $U^i$ commutes with $P(U,b)$ and $V^k$ commutes with $P(V,\bar b)$,
$$
\sum_{i,k} x_{ik}\,U^i B\,V^k = P(U,b)\Big(\sum_{i,k} x_{ik}\,U^i V^k\Big)P(V,\bar b) = P(U,b)\,A\,P(V,\bar b) = K_b = K.
$$
Solving a system of $N$ equations in $N$ unknowns by Gauss elimination requires $O(N^3)$ time. The systems (3.1) have $n^2$ equations each, so solving them requires $O(n^6)$ time. Having precomputed the powers of $U$ and $V$ appearing in (3.2), one can perform step (3.2) in $O(n^7)$ time: there are $O(n^4)$ terms, each involving one $n \times n$ matrix product. So the overall time complexity of this approach is $O(n^7)$.

Further we describe the second approach, based on a linear decomposition attack. The algebra $\mathbb{C}^{n \times n}$ has the structure of a vector space over $\mathbb{C}$ of dimension $n^2$. Let $\mathcal{U}$ be the semigroup generated by $U$, and let $\mathcal{V}$ be the semigroup generated by $V$. A basis of the subspace $\mathrm{Sp}(\mathcal{U}\mathcal{V})$ can be effectively constructed as follows. Let
$$
L_0 = \{I_n\}, \qquad L_1 = \{U, V\}, \qquad L_i = \{\,U^k V^l \mid k, l \in \mathbb{N},\ k + l = i\,\},
$$
be the sets of matrices, considered as vectors. Define
$$
V_i = \mathrm{Sp}(L_0 \cup L_1 \cup \cdots \cup L_i), \qquad i = 0, 1, \ldots,
$$
the vector space spanned by the indicated set. We choose a basis $B_0 = \{b_0 = I_n\}$ of $V_0$, then extend $B_0$ to a basis $B_1$ of $V_1$, and so on. If for some $i_0$ we get $B_{i_0} = B_{i_0+1}$, then $B = B_{i_0}$ is a basis of $\mathrm{Sp}(\mathcal{U}\mathcal{V})$: every element of $L_{i_0+2}$ has the form $U x$ or $x V$ with $x \in L_{i_0+1} \subseteq V_{i_0}$, and since $U V_{i_0} \subseteq V_{i_0+1}$ and $V_{i_0} V \subseteq V_{i_0+1}$, it lies in $V_{i_0+1} = V_{i_0}$; by induction the same holds for all further $L_i$. By the Cayley–Hamilton theorem every $U^k V^l$ lies in the span of the monomials with $k, l \le n-1$, so $V_{2n-2}$ already contains everything and $i_0 \le 2n-2$. In the construction of $B$ we only use Gauss elimination, which is polynomial. Note that the construction depends only on the public matrices $U$ and $V$, not on $A$ or $B$, so it can be done before the parties publish their keys; we call this phase the offline phase. Let $b_0, b_1, \ldots, b_r$ be the basis of $\mathrm{Sp}(\mathcal{U}\mathcal{V})$ constructed in this way, where $b_i = U^{k_i} V^{l_i}$. Now we are ready to recover the secret key $K$ (online phase).

• Since $B \in \mathrm{Sp}(\mathcal{U}\mathcal{V})$, we can use Gauss elimination to obtain a presentation of $B$ in the form
$$
B = \sum_{i=0}^{r} \alpha_i\,U^{k_i} V^{l_i}, \qquad \alpha_i \in \mathbb{C}.
\qquad (3.3)
$$

• Then we have
$$
\sum_{i=0}^{r} \alpha_i\,U^{k_i} A\,V^{l_i}
= \sum_{i=0}^{r} \alpha_i\,U^{k_i} P(U,a) P(V,\bar a)\,V^{l_i}
= P(U,a)\Big(\sum_{i=0}^{r} \alpha_i\,U^{k_i} V^{l_i}\Big)P(V,\bar a)
= P(U,a)\,B\,P(V,\bar a) = K.
\qquad (3.4)
$$

Note that a similar protocol of Stickel has been analyzed in [4], where a linear decomposition attack based on the decomposition method was applied.
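As an added worked example (not code from [5] or from the authors of this note), the following Python script implements the key exchange of Section 2 and the offline and online phases of the linear decomposition attack above, and checks that the attacker's matrix equals the shared key $K$. It works over the rationals with exact `Fraction` arithmetic instead of over $\mathbb{C}$, which changes nothing in the linear algebra. The matrix size $n = 4$, the secret polynomial degree $7 > n$ (chosen to show that degrees above $n$ do not help), the coefficient range and the seed are arbitrary choices of this example.

```python
from fractions import Fraction
import random

def mat_mul(X, Y):
    n = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]

def mat_add(X, Y):
    return [[x + y for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def mat_scale(c, X):
    return [[c * x for x in row] for row in X]

def powers(X, max_deg):
    """[X^0, X^1, ..., X^max_deg] with X^0 = I_n."""
    n = len(X)
    table = [[[Fraction(int(i == j)) for j in range(n)] for i in range(n)]]
    for _ in range(max_deg):
        table.append(mat_mul(table[-1], X))
    return table

def poly_eval(X, coeffs):
    """P(X, a) = sum_{m=0}^{M} a_m X^m for a = (a_0, ..., a_M)."""
    acc = mat_scale(Fraction(0), X)
    for a_m, Xm in zip(coeffs, powers(X, len(coeffs) - 1)):
        acc = mat_add(acc, mat_scale(a_m, Xm))
    return acc

def rand_vector(length, rng):
    return [Fraction(rng.randint(-3, 3)) for _ in range(length)]   # arbitrary range

def key_exchange(n, deg, rng):
    """The protocol of Section 2; returns the public data and both parties' keys."""
    U, V = ([rand_vector(n, rng) for _ in range(n)] for _ in range(2))  # public matrices
    a, a_bar = rand_vector(deg + 1, rng), rand_vector(deg + 1, rng)     # Alice's secret
    b, b_bar = rand_vector(deg + 1, rng), rand_vector(deg + 1, rng)     # Bob's secret
    A = mat_mul(poly_eval(U, a), poly_eval(V, a_bar))                   # Alice publishes A
    B = mat_mul(poly_eval(U, b), poly_eval(V, b_bar))                   # Bob publishes B
    Ka = mat_mul(mat_mul(poly_eval(U, a), B), poly_eval(V, a_bar))
    Kb = mat_mul(mat_mul(poly_eval(U, b), A), poly_eval(V, b_bar))
    return U, V, A, B, Ka, Kb

def solve_linear(columns, target):
    """Gauss elimination: alpha with sum_i alpha_i*columns[i] == target, else None."""
    m, k = len(target), len(columns)
    M = [[columns[j][i] for j in range(k)] + [target[i]] for i in range(m)]
    pivots, row = [], 0
    for col in range(k):
        piv = next((r for r in range(row, m) if M[r][col] != 0), None)
        if piv is None:
            continue                                  # free variable, left at 0
        M[row], M[piv] = M[piv], M[row]
        p = M[row][col]
        M[row] = [v / p for v in M[row]]
        for r in range(m):
            if r != row and M[r][col] != 0:
                f = M[r][col]
                M[r] = [v - f * w for v, w in zip(M[r], M[row])]
        pivots.append(col)
        row += 1
    if any(M[r][k] != 0 for r in range(row, m)):
        return None                                   # target is outside the span
    alpha = [Fraction(0)] * k
    for r, col in enumerate(pivots):
        alpha[col] = M[r][k]
    return alpha

def span_basis(U, V):
    """Offline phase: basis of Sp(UV) from monomials U^k V^l, layer by layer in k+l."""
    n = len(U)
    Up, Vp = powers(U, 2 * n), powers(V, 2 * n)
    basis = []                                        # entries (k, l, flattened U^k V^l)
    for i in range(2 * n):                            # Cayley-Hamilton: i_0 <= 2n - 2
        added = False
        for k in range(i + 1):
            vec = sum(mat_mul(Up[k], Vp[i - k]), [])  # matrix as a vector of length n^2
            if solve_linear([b[2] for b in basis], vec) is None:
                basis.append((k, i - k, vec))
                added = True
        if not added:                                 # layer adds nothing: B_i = B_{i+1}
            break
    return basis

def recover_key(U, V, A, B, basis):
    """Online phase: (3.3) write B in the basis, (3.4) replace U^k V^l by U^k A V^l."""
    alpha = solve_linear([b[2] for b in basis], sum(B, []))
    if alpha is None:
        raise ValueError("B is not in Sp(UV): not a valid public key")
    Up, Vp = powers(U, 2 * len(U)), powers(V, 2 * len(V))
    K = mat_scale(Fraction(0), A)
    for al, (k, l, _) in zip(alpha, basis):
        K = mat_add(K, mat_scale(al, mat_mul(mat_mul(Up[k], A), Vp[l])))
    return K

def demo(n=4, deg=7, seed=2024):
    """One exchange plus the attack: (keys agree, attacker recovers K, basis size)."""
    rng = random.Random(seed)
    U, V, A, B, Ka, Kb = key_exchange(n, deg, rng)
    basis = span_basis(U, V)
    return Ka == Kb, recover_key(U, V, A, B, basis) == Ka, len(basis)

if __name__ == "__main__":
    print(demo())                                     # (True, True, r + 1) with r + 1 <= n * n
```

The attacker sees only $U, V, A, B$ and never learns $a, \bar a, b, \bar b$; the coefficients $\alpha_i$ of (3.3) are coordinates of $B$ in the constructed basis, not products of secret coefficients. `span_basis` depends only on the public matrices, so it can be run once before $A$ and $B$ are published, exactly as the offline phase above describes.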

Now we give a rough estimate of the time complexity of this approach. Observe that Gauss elimination on a matrix of size $k \times n^2$ takes $O(k^2 n^2)$ field operations. A basis of $\mathrm{Sp}(\mathcal{U}\mathcal{V})$ consists of at most $n^2$ elements, so constructing it requires $O\big(n^2 \sum_{k=1}^{n^2} k^2\big) = O(n^8)$ time. Computing the $\alpha_i$ in (3.3) by solving a system of $n^2$ linear equations in at most $n^2$ unknowns using Gauss elimination requires $O(n^6)$ time. Having precomputed the values $U^{k_i}$ and $V^{l_i}$ for $i = 0, \ldots, r$, one can perform step (3.4) in $O(n^5)$ time. So the offline phase can be done in $O(n^8)$ time, the online phase in $O(n^6)$ time, and the overall time complexity is $O(n^8)$.